April 01, 2022

Critical Guidance on the CVE 2022-22965 (Spring4Shell) Vulnerability

Written by Leo Bastidas

On March 29, 2022, a security researcher with the handle p1n93r disclosed a Spring Framework remote code execution (RCE) vulnerability, which was archived by vx-underground. This vulnerability, known as Spring4Shell, affects applications that use JDK v9 or above that run Apache Tomcat as the Servlet Container in a WAR package and use dependencies of the spring-webmvc or spring-webflux from the Spring Framework. This vulnerability is being tracked under CVE-2022-22965.

Note that due to the generality of the vulnerability, there could be other ways to exploit it.

This post is meant to provide guidelines and recommendations on how to prevent, detect, and mitigate this possible vulnerability. In general, TrustedSec recommends organizations perform the following:

  • Actively scan systems or use software inventories to identify vulnerable versions of Spring Framework
  • Update vulnerable versions of Spring Framework or apply mitigations
  • Search for exploitation and post-exploitation activities

TrustedSec recommends upgrading Spring Boot to 2.6.6 or 2.5.12, and Spring Framework to 5.3.18 or 5.2.20, per vendor guidance.

Affected Versions

  • Spring Framework
    • 5.3.0 to 5.3.17
    • 5.2.0 to 5.2.19
    • Older unsupported versions

Vendor Notifications

  • Spring has released an early announcement on the RCE
  • VMware Tanzu has released its security advisory for CVE-2022-22965
  • Cloudflare has released Web Application Firewall (WAF) guidance
  • Sysdig has published a blog post on CVE-2022-22965

Prevention and Mitigation

The primary way to mitigate and prevent exploitation of CVE-2022-22965 is to update to the patched Spring release that matches your application.

If patching or upgrading is not immediately possible, the manual options below can help deter exploitation attempts. Test them before deployment, both for efficacy and to validate that operations will not be interrupted.

Web Application Firewall (WAF) Policy

Consider implementing a WAF rule on exposed Spring Framework systems that blocks requests matching the following patterns:

"class.*", "Class.*", "*.class.*", "*.Class.*"

NOTE: Cloudflare is currently investigating an emergency release rule for protection against CVE-2022-22965.
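To show what those four patterns actually match, here is an added Python example (not TrustedSec's code, and not a Cloudflare or Spring rule) that ports Spring's own PatternMatchUtils.simpleMatch, the matcher behind WebDataBinder.setDisallowedFields, and runs it over the parameter names in a few constructed access-log lines. The log format, the hostnames and the parameter names are all made up for the demonstration; the matcher semantics are Spring's ('*' is the only wildcard, the '.' is literal, matching is case-sensitive, which is why both "class" and "Class" spellings are in the list).

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Same deny patterns as the WAF policy / DataBinder workaround in the advisory.
DENY_PATTERNS = ("class.*", "Class.*", "*.class.*", "*.Class.*")

# Request line inside a common/combined-format access-log entry (constructed format).
REQUEST_RE = re.compile(
    r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (?P<target>\S+) HTTP/\d(?:\.\d)?"'
)


def simple_match(pattern: str, value: str) -> bool:
    """Port of Spring's PatternMatchUtils.simpleMatch: '*' is the only wildcard,
    '.' is a literal character, and comparison is case-sensitive."""
    first = pattern.find("*")
    if first == -1:
        return pattern == value
    if first == 0:
        if len(pattern) == 1:
            return True
        nxt = pattern.find("*", 1)
        if nxt == -1:
            return value.endswith(pattern[1:])
        part = pattern[1:nxt]
        if not part:
            return simple_match(pattern[nxt:], value)
        idx = value.find(part)
        while idx != -1:
            if simple_match(pattern[nxt:], value[idx + len(part):]):
                return True
            idx = value.find(part, idx + 1)
        return False
    return (len(value) >= first
            and pattern.startswith(value[:first])
            and simple_match(pattern[first:], value[first:]))


def flagged_parameters(log_line: str) -> list[str]:
    """Query-parameter names in one access-log line that hit a deny pattern.
    parse_qsl percent-decodes names, so 'class%2Emodule' is seen as 'class.module'."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if any(simple_match(p, n) for p in DENY_PATTERNS)]


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """(1-based line number, flagged parameter names) for every line that triggers."""
    hits = []
    for number, line in enumerate(lines, 1):
        flagged = flagged_parameters(line)
        if flagged:
            hits.append((number, flagged))
    return hits


# Constructed sample log lines (not real traffic); line 4 shows that 'classic'
# does NOT match 'class.*' because the dot is literal.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2022:10:01:02 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Mar/2022:10:01:07 +0000] "GET /app/greet?class.module.example=1 HTTP/1.1" 400 128',
    '10.0.0.9 - - [31/Mar/2022:10:01:09 +0000] "POST /app/greet?name=bob&Class.module.example=1 HTTP/1.1" 400 128',
    '10.0.0.9 - - [31/Mar/2022:10:01:11 +0000] "GET /app/greet?item.Class.example=1&classic=true HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Mar/2022:10:01:13 +0000] "GET /app/greet?class%2Emodule.example=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious binding parameter(s) {names}")
```

Two caveats for anyone turning this into a real detection: request parameters also arrive in POST bodies, which most access logs do not record, so a WAF or request-level logging is needed for coverage there; and the matcher deliberately mirrors Spring's semantics rather than a regex, so a WAF product that interprets "class.*" as a regular expression will match different (broader) input.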

Implementing a Denylist in Spring

As a temporary mitigation, add a global @ControllerAdvice class alongside your controllers so that every WebDataBinder disallows the same patterns as the WAF policy above, as recommended by Spring.

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller; lowest precedence so it runs after any other @InitBinder advice.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Refuse to bind any request field that reaches the class / ClassLoader chain.
        // Both spellings are listed because disallowed-field matching is case-sensitive.
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }

}

Spring also describes a safer form of this workaround: extend RequestMappingHandlerAdapter so that the WebDataBinder is updated after initialization, and register the extended adapter through a WebMvcRegistrations declaration for Spring MVC or a WebFluxRegistrations declaration for Spring WebFlux.

CVE-2022-22965 Detection

Below are detection opportunities for CVE-2022-22965 that can be used to identify vulnerable systems and exploitation attempts.

  • Florian Roth created a YARA rule that detects possible webshells and proof-of-concept exploit attempts
  • Hilko Bengen created a local CVE-2022-22965 vulnerability scanner written in Go (cross-platform) that searches the filesystem for Spring artifacts obtained via the Maven Central repository
  • The OWASP Dependency Check tool can also be used to produce an aggregate report for a project and its child projects by running the following command (see the additional properties for OWASP Dependency Check):
mvn org.owasp:dependency-check-maven:aggregate
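The scanner approach in the second bullet (locate Spring artifacts on disk and compare their version to the affected ranges) is easy to reproduce for an offline inventory check. The following is an added Python example, not Hilko Bengen's tool and not TrustedSec's code: it reads the Maven pom.properties that Spring Framework jars carry under META-INF/maven/org.springframework/, descends into jars nested inside a WAR or Spring Boot fat jar, and flags versions below 5.2.20 or 5.3.18 and every older line, per the Affected Versions section. The archives it scans at the bottom are constructed in memory so the script runs without real artifacts.

```python
from __future__ import annotations

import io
import re
import zipfile
from typing import Iterator

# Patched releases named in the advisory: 5.2.20 and 5.3.18. Anything below them
# on those lines, and every older line (5.1.x, 5.0.x, 4.x, ...), is in scope.
FIXED_PATCH = {2: 20, 3: 18}

# Maven embeds a pom.properties per artifact; Spring Framework jars carry it here.
POM_RE = re.compile(r"^META-INF/maven/org\.springframework/(spring-[\w.-]+)/pom\.properties$")
VERSION_RE = re.compile(r"^version=(.+)$", re.MULTILINE)


def parse_version(text: str) -> tuple[int, ...]:
    """'5.2.19.RELEASE' -> (5, 2, 19): leading numeric components only."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when a Spring Framework version falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if len(v) < 2:
        return True  # cannot be shown patched; surface it for manual review
    major, minor = v[0], v[1]
    patch = v[2] if len(v) > 2 else 0
    if major != 5:
        return major < 5  # 4.x and older: unsupported and affected; 6.x: not affected
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    return minor < 2  # 5.0.x / 5.1.x are older unsupported lines


def spring_artifacts(archive: zipfile.ZipFile, origin: str) -> Iterator[tuple[str, str, str]]:
    """Yield (origin, artifactId, version) for every Spring pom.properties, descending
    into nested jars (WEB-INF/lib/*.jar in a WAR, BOOT-INF/lib/*.jar in a Boot fat jar)."""
    for name in archive.namelist():
        m = POM_RE.match(name)
        if m:
            vm = VERSION_RE.search(archive.read(name).decode("utf-8", "replace"))
            if vm:
                yield origin, m.group(1), vm.group(1).strip()
        elif name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(archive.read(name))) as inner:
                    yield from spring_artifacts(inner, f"{origin}!{name}")
            except zipfile.BadZipFile:
                continue  # not a real zip; skip it rather than abort the scan


def scan_archive(source, origin: str = "archive") -> list[dict]:
    """source is a filesystem path or the raw bytes of a .jar/.war."""
    handle = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    with zipfile.ZipFile(handle) as zf:
        return [{"origin": o, "artifact": a, "version": v, "affected": is_affected(v)}
                for o, a, v in spring_artifacts(zf, origin)]


# --- constructed sample archives so the script runs offline (not real artifacts) ---

def build_jar(artifact: str, version: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/org.springframework/{artifact}/pom.properties",
                    f"#Generated by Maven\nversion={version}\n"
                    f"groupId=org.springframework\nartifactId={artifact}\n")
    return buf.getvalue()


def build_war(jars: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for filename, data in jars.items():
            zf.writestr(f"WEB-INF/lib/{filename}", data)
    return buf.getvalue()


def demo() -> list[dict]:
    """Scan a constructed WAR that bundles Spring Framework 5.3.17 (affected)."""
    war = build_war({
        "spring-beans-5.3.17.jar": build_jar("spring-beans", "5.3.17"),
        "spring-webmvc-5.3.17.jar": build_jar("spring-webmvc", "5.3.17"),
    })
    return scan_archive(war, "app.war")


if __name__ == "__main__":
    for finding in demo():
        status = "AFFECTED" if finding["affected"] else "ok"
        print(f"{status:8} {finding['artifact']} {finding['version']} in {finding['origin']}")
```

Point scan_archive at each deployed .war or fat .jar (for example by walking the Tomcat webapps directory) to build the inventory. A hit means the framework version is in the affected range; whether the deployment is actually exploitable also depends on the JDK 9+ and Tomcat WAR conditions described at the top of this post, so treat the output as a prioritisation list for patching rather than proof of exposure.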

A Different Spring Vulnerability: CVE-2022-22963

The CVE-2022-22963 vulnerability is specific to Spring Cloud Function (not to be confused with CVE-2022-22965) in versions 3.16, 3.2.2, and older unsupported versions when the routing function is used. With routing in use, a user may be able to supply custom Spring Expression Language (SpEL) data as a routing expression, which could result in local resource access.

Colin Cowie of Sophos created a helpful infographic detailing the different Spring vulnerabilities to aid in distinguishing them.

Additional Resources

The security community has quickly come together to gather information (and misinformation) with the additional resources shown below.

Git commit of the deprecated SerializationUtils#deserialize for CVE-2022-22963 - https://github.com/spring-projects/spring-framework/pull/28075

Infographic - https://twitter.com/th3_protoCOL/status/1509201539461619715

Vendor - https://tanzu.vmware.com/security/

Blogs

https://buaq.net/go-108269.html

https://www.praetorian.com/blog/spring-core-jdk9-rce/

https://bugalert.org/content/notices/2022-03-30-spring.html

https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

https://isc.sans.edu/diary/rss/28498

https://www.bleepingcomputer.com/news/security/new-spring-java-framework-zero-day-allows-remote-code-execution/

Proof of Concepts

https://github.com/craig/SpringCore0day/blob/main/exp.py

https://its.pku.edu.cn/announce/tz20220330110501.jsp

https://twitter.com/vxunderground/status/1509170582469943303?s=21&t=Z7s-rk8lmTyWv8lBrZ7jUg

https://github.com/RanDengShiFu/CVE-2022-22963

Detections

https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar

https://github.com/hillu/local-spring-vuln-scanner

https://twitter.com/SeanWrightSec/status/1509576348452499457

https://twitter.com/RandoriAttack/status/1509298490106593283